File System Function Injection, Content Based
Attack Pattern ID: 23 (Standard Attack Pattern Completeness: Complete)Typical Severity: Very HighStatus: Draft
+ Description


An attack of this type exploits the host's trust in executing remote content including binary files. The files are poisoned with a malicious payload (targeting the file systems accessible by the target software) by the attacker and may be passed through standard channels such as via email, and standard web content like PDF and multimedia files. The attacker exploits known vulnerabilities or handling routines in the target processes. Vulnerabilities of this type have been found in a wide variety of commercial applications from Microsoft Office to Adobe Acrobat and Apple Safari web browser. When the attacker knows the standard handling routines and can identify vulnerabilities and entry points they can be exploited by otherwise seemingly normal content. Once the attack is executed, the attacker's program can access relative directories such as C:\Program Files or other standard system directories to launch further attacks. In a worst case scenario, these programs are combined with other propagation logic and work as a virus.

+ Attack Prerequisites

The target software must consume files.

The attacker must have access to modify files that the target software will consume.

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Injection
  • API Abuse
+ Examples-Instances


PHP is a very popular web server. When PHP is used with global variables, a vulnerability may be opened that affects the file system. A standard HTML form that allows for remote users to upload files, may also place those files in a public directory where the attacker can directly access and execute them through a browser. This vulnerability allows remote attackers to execute arbitrary code on the system, and can result in the attacker being able to erase intrusion evidence from system and application logs.

Reference -

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Medium

+ Solutions and Mitigations

Design: Enforce principle of least privilege

Design: Validate all input for content including files. Ensure that if files and remote content must be accepted that once accepted, they are placed in a sandbox type location so that lower assurance clients cannot write up to higher assurance processes (like Web server processes for example)

Design: Execute programs with constrained privileges, so parent process does not open up further vulnerabilities. Ensure that all directories, temporary directories and files, and memory are executing with limited privileges to protect against remote execution.

Design: Proxy communication to host, so that communications are terminated at the proxy, sanitizing the requests before forwarding to server host.

Implementation: Virus scanning on host

Implementation: Host integrity monitoring for critical files, directories, and processes. The goal of host integrity monitoring is to be aware when a security issue has occurred so that incident response and other forensic activities can begin.

+ Attack Motivation-Consequences
  • Run Arbitrary Code
+ Injection Vector

Payload delivered through standard communication protocols.

+ Payload

Command(s) executed directly on host filesystem

+ Activation Zone

Client machine and client network

+ Payload Activation Impact

Enables attacker to execute server side code with any commands that the program owner has privileges to.

+ Related Weaknesses
CWE-IDWeakness NameWeakness Relationship Type
77Improper Sanitization of Special Elements used in a Command ('Command Injection')Targeted
23Relative Path TraversalTargeted
22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')Targeted
713OWASP Top Ten 2007 Category A2 - Injection FlawsTargeted
715OWASP Top Ten 2007 Category A4 - Insecure Direct Object ReferenceTargeted
+ Related Attack Patterns
NatureTypeIDNameDescriptionView(s) this relationship pertains toView\(s\)
ChildOfAttack PatternAttack Pattern165File Manipulation 
Mechanism of Attack (primary)1000
ChildOfAttack PatternAttack Pattern241Code Injection 
Mechanism of Attack (primary)1000
ChildOfAttack PatternAttack Pattern242Script Injection 
Mechanism of Attack (primary)1000
PeerOfAttack PatternAttack Pattern35Leverage Executable Code in Nonexecutable Files 
Mechanism of Attack1000
PeerOfAttack PatternAttack Pattern44Overflow Binary Resource File 
Mechanism of Attack1000
+ Purposes
  • Exploitation
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: High
+ Technical Context
Architectural Paradigms
+ References
G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
+ Content History
G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004.Cigital, Inc2007-01-01
Gunnar PetersonCigital, Inc2007-02-28Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software"
Sean BarnumCigital, Inc2007-03-09Review and revise
Richard StruseVOXEM, Inc2007-03-26Review and feedback leading to changes in Attack Prerequisites
Sean BarnumCigital, Inc2007-04-13Modified pattern content according to review and feedback